Depot is now SOC 2 compliant

Security and compliance are fundamental to Depot. We put a lot of effort into making sure we are not only the fastest place for building software but also the most secure. That ranges from the way we build our infrastructure to the way we build our software and, ultimately, the way we operate Depot day-to-day.

We're very excited to announce that Depot is now SOC 2 Type I compliant 🎉

We began our attestation process back at the start of January, but the controls and mechanisms that were evaluated have been in place since we first launched Depot. We've always been committed to providing a secure and compliant platform.

What is SOC 2?

Service Organization Control 2, or SOC 2 for short, is a compliance framework designed to ensure that companies handle sensitive data securely and protect the privacy of their customers.

In simple terms, SOC 2 compliance means that a company has established and follows strict procedures and controls to protect customer data. This includes things like having secure systems in place, monitoring for unusual activity, and ensuring that employees are trained in Depot's security and disaster recovery protocols.

In a nutshell, SOC 2 covers five different controls:

1. Security: The system is protected against unauthorized access (both physical and logical).
2. Availability: The system is available for operation and use as committed or agreed to.
3. Processing integrity: The system processes data accurately, completely, and promptly.
4. Confidentiality: Sensitive and confidential information is protected from unauthorized access.
5. Privacy: The system respects privacy policies and regulatory requirements when collecting, using, retaining, or disclosing personal information.

How we approached SOC 2?

Getting SOC 2 compliant is a significant undertaking, but it's simpler if you start building with security and compliance in mind from the beginning. Having a background in building secure systems and even obtaining SOC 2, FedRAMP, and other compliance attestations in the past, we were able to leverage that experience to build Depot with security and compliance in mind from the start.

To tackle the details, we divided and conquered the process into three main areas:

1. Tool selection: SOC 2 has come a long way in the past 5-10 years. There are now a lot of tools and services that can help you get compliant faster. We used Vanta, which automatically monitors and collects evidence to help us get compliant faster.

2. Documentation: We had to document all of our security and compliance processes, from how we handle customer data to how we handle security incidents. This was a significant effort, but it was made easier because we had already been following these processes from the start.

3. Audit: We partnered with an auditor who asked follow-up questions and clarified parts of our system based on our documented controls.

The process took about 3 months, including the audit period and initial setup.

What does this mean for you?

SOC 2 compliance is a significant milestone for both us and you. It means that you can trust Depot to handle your data securely and that we have the proper controls in place to protect your data. All verified by an independent third party.

We also have a SOC 2 report that we are happy to share with customers who need it, either to help them with their compliance journey or to learn more about how we manage and secure their data.

Compliance is never done, so ultimately, this is just the beginning. We will continue to invest in security and compliance to ensure that we always meet the highest security and privacy standards.

If you have any questions about our SOC 2 compliance or need a copy of our SOC 2 report, please don't hesitate to reach out.